wireless networks: challenges, threats and solutions

1

Wireless Networks: Challenges, Threats and Solutions

Shehla RanaFurquan Shaikh

2

Talk Outline• Introduction to wireless networks

• How wireless is different

• Misbehavior in Wireless Networks

• Security Threats in Wireless Networks

• IEEE 802.11 Security Tools

3

Wireless Networks• Computing and communication

services, over the air, on the move

• Infrastructure-based Networks

• Ad hoc Networks

4

Infrastructure Mode• Single hop wireless connectivity

o An Access Point is responsible to communicate with end-points in its “jurisdiction”

Wired Network

Wireless AP

5

Mobile Ad Hoc Networks (MANET)

• No access point• Network formed by multiple wireless end-

points• Multi-hop wireless links• Data must be routed via intermediate nodes

• Host movement/ topology change may be frequent

A B AB

6

Why Ad Hoc Networks ?

• Setting up of fixed access points and backbone infrastructure is not always viableo Infrastructure may be absent/destroyed

in a disaster area or war zone

oEasy, fast deployment

oDo not need backbone infrastructure support

7

Wireless Mesh Networks (WMN)

• No Access Point

• Multiple, autonomous wireless end-points relaying data for each other

• Little or no mobility

• Long-term applications

• Weaker energy constraints

8

Wireless Sensor Networks (WSN)

• A class of Ad-hoc/mesh networks

• Composed of small, inexpensive, resource constrained devices

• Sensing data usually directed towards a single “Sink”

• Multi-hop wireless links

9


• How is Wireless different



10

How is wireless different?

• Can we apply media access methods from fixed networks?o CSMA/CD?o Send when medium is free, listen into the

medium for collision

• Medium access problems in wireless networkso sender may apply CS and CD, but collisions

happen at receivero sender may not ‘hear’ the collision, i.e., CD

doesn’t worko CS might not work, e.g. ‘hidden’ terminals

11

MAC: Collision Avoidance• Collision avoidance: Once channel

becomes idle, wait for a randomly chosen duration before attempting to transmit

• IEEE 802.11o When transmitting, choose a backoff in range

[0,cw]; o Count down backoff when medium is idleo Count-down suspended if medium becomes

busyo When backoff interval reaches 0, transmit

12





13

• Misbehavior at the MAC layero Impatient Transmitterso Solutions and Challenges

• Misbehavior at the network layer o Drop, corrupt packetso Misroute packetso Solutions and Challenges

Misbehavior in Wireless NWs: Outline

14

Possible Misbehaviors:“Impatient” Transmitters

• Choose smaller Backoff

• Cause collisions with other hosts’ packets

• Those hosts will exponentially backoff on packet loss, giving free channel to the misbehaving host

• Must diagnose and discourage!

Wireless channel

Access Point

A B

15

Solution 1: Passive Observation

• Receiver observes sender behavior. Are backoffs too short?

• Challenge: Receiver does not know exact backoff value chosen by sendero Sender chooses random backoffo Hard to distinguish between maliciously chosen

small values and a legitimate valueo How long must receiver observe?

16

Solution 2: Rx driven Backoff

• Remove the non-determinism

• Receiver provides backoff values to sendero Receiver specifies backoff for next packet

in ACK for current packeto Backoffs of different nodes still

independento Uncertainty of senders backoff eliminated

17

Misbehavior in Wireless NWs: Outline• Misbehavior at the MAC layer

o Impatient Transmitterso Solutions and Challenges

• Misbehavior at the network layer o Drop, corrupt packetso Misroute packetso Solutions and Challenges

18

Drop/Corrupt/Misroute

• A node “agrees” to join a route(for instance, by forwarding route request/reply) but fails to forward packets correctly

• Why: Conserve energy, overload, launch a denial-of-service attack

19

Solution: Watchdogs• Exploit broadcast nature• Verify whether a node has forwarded a packet or

not

B DC EA

B sends packet to C

20

Watchdogs at Work• B can ‘hear’ whether C has forwarded packet or

not• B can also know whether packet is tampered

with if no per-link encryption

B DC EA

C forwards packet to DB overhears CForwarding the packet

21

Watchdog At Work• Forwarding by C may not be immediate: B must

buffer packets, and compare them with overheard packets

• If packet stays in buffer at B too long, a “failure tally” for node C is incremented

• If the failure rate is above a threshold, C is determined as misbehaving, and source node informed

22

Watchdog Approach:Challenges

• Impact of Collisions• If A transmits while C is forwarding to D, B will not

know

B DC EA

C forwards packet to D

23


• Reliability of Reception Not Known• Even if B sees the transmission from C, it cannot

always tell whether D received the packet reliably

Misbehaving C may reduce power such that B can receive from C, but D does not

B DC EA

C forwards packet to D

24


• Misdirection of Packets• C forwards packets, but to the wrong node!• With DSR, B knows the next hop after C, so this

misbehavior may be detected

• With other hop-by-hop forwarding protocols, B cannot detect this

B DC EA

F

25

Solution 2: Exploiting Path Redundancy

• Design routing algorithms that can deliver data despite misbehaving nodes

• “Tolerate” misbehavior by using disjoint routes

• Prefer routes that deliver packets at a higher “delivery ratio”

26

Best-Effort Fault Tolerant Routing (BFTR)

• The target of a route discovery is required to send multiple route replies (RREP)o The source can discover multiple routes

(all are deemed feasible initially)

1. Source chooses a feasible route based on the “shortest path”metric

2. Source uses this route until its delivery ratio falls below a threshold (making the route infeasible)

3. If existing route is deemed infeasible, go to (1)

27

BFTR: Issues• A route may look infeasible due to temporary

overload on that route

• The source may settle on a poorer (but feasible) route

• No direct mechanism to differentiate misbehavior from lower capacity routes

28

Solution 3: Micropayments

• Provide incentive for relaying packets• A trusted third party: Accounting center• Three phases:• Communication:

o Source/dest issue payment receipts to intermediate nodes

• Receipt Submission:o Relays claim their payments

• Payment Redemption:o AC processes the receipts and issues payment

29

Route Tampering Attack

• A node may make a route appear too long or too short by tampering with RREQ

• By making a route appear too long, the node may avoid the route from being usedo This would happen if the destination replies to

multiple RREQ

• By making a route appear too short, the node may make the source use that route, and then drop data packets (denial of service)

30

Wormhole Attack• Attacker makes a wireless ‘link’

appear in the network when there isn’t one

• Not necessarily detrimental, since the additional link can improve performance

• Attacker assumes control on the fate of the traffico May analyze traffico Collect traffic for breaking encryption

31

Wormhole Attack • Host X can forward packets from F and E

unaltered • Hosts F and E will seem ”adjacent” to each other

• The fact that AFE really is AFXE will not be detected

B D

XE

A

F

C

32

Solution: Packet Leashes

• Additional information added to packets to restrict maximum transmission distance of a packet

• Geographical leasheso RX checks distance from the sendero Signature to authenticate sender location, timestampo Distance too large, reject the packet

• Temporal Leasheso Sender timestamps the packet, and receiver

determines the delay since the packet was sento If delay too large, reject the packeto Sender cannot know MAC delays

33

Wireless Misbehavior: Summary

• Hosts may be misbehave or try to compromise security at all layers of the protocol stack

• MAC Layero Disobey protocol specifications for selfish gainso Denial-of-service attacks

• Network Layero Disrupt route discovery/maintenanceo Force use of poor routes (e.g., long routes)o Delay, drop, corrupt, misroute packets

34





35

Wireless Security Vulnerabilities

• Traffic Analysis• Passive Eavesdropping• Unauthorized Access• Man-in-the-middle• Session Hijacking• Replay Attack• Rogue AP• DoS Attacks• Pollution Attacks

36

Traffic Analysis• Need:oA wireless card in promiscuous

listening mode

• Threats:oDetect activity on the networkoUsing AoA, get physical location of

transmitteroType of protocols under use

37

Passive Eavesdropping• No physical security

protects against this!

• More than 50% APs use no encryption

• Attacker can get:Actual dataSource,

destination, timing of packets www.rsa.com/rsalabs/.../kaliski-wireless-security-wwc-

2003.ppt

38

Man-in-the-middle Attack

• Real-time attack• Read/modify data in transit

o Violate integrity

39

Session Hijacking• Attacker takes an authenticated session

• Target assumes its session is broken/lost

• Attacker can use the session for anything, for any amount of time

• Real time attack

• Integrity of session

40

Session Hijacking

Attacker

TargetWired Network

Wired Network

Attacker

Target

41

Replay• Similar to session hijacking except timing!

Wired Network

Attacker

Attacker

Target

TargetWired Network

42

Summary• Introduction to wireless networks




Introduction to WEP• Original security protocol for IEEE 802.11

standard• Wired Equivalent Privacy – Create the “privacy

achieved by a wired network”• Considered as secure as a wired network• Primary Goal: Protect the confidentiality of user

data from eavesdropping• Based on RC4 algorithm, which is a symmetric

key stream cipher

WEP - Secret Key• Relies on a secret key that is shared between a

mobile station and an access point• Encrypt packets before they are transmitted, and

an integrity check to ensure that packets are not modified during transition

• Same key shared between all mobile stations and an access point in a network

WEP - Authentication

STA AP

Authenticate (request)Authenticate (challenge)Authenticate (response)Authenticate (success)

Stream Cipher Operation

Electronic Code Book Mode

Initialization Vectors (IV)

• Used to alter the key stream• Numeric value that is concatenated to the base

key before the key stream is generated• Every time IV changes, so does the key stream• 802.11 standard recommends that IV change on a

per-frame basis• If same packet is transmitted twice, the resulting

cipher-text will be different for each transmission

Encryption with IV

WEP Encryption• Checksum – uses CRC32• Encryption – uses RC4• Transmission –

ciphertext appended with IV

Message CRC

XOR

Keystream = RC4(IV,k)

CiphertextIV

WEP Decryption

Message CRC

XORKeystream =

RC4(IV,k)

CiphertextIV

Goals of Security• Authentication• Access control• Replay Protection• Message modification detection• Message privacy

1) Authentication• It is one party proving to other that he/she really

is who they claim to be.• Requirements:

(1) Robust method of proving identity that cannot be spoofed(2) Method of preserving identity over subsequent transactions that

cannot be transferred(3) Mutual authentication(4) Authentication keys independent from encryption keys

How rule 1 fails?• P XOR K = C

• C XOR P = KSTA

Bad STA

AP

Challenge

Plai

ntex

t (P)

Response + IV

Cipher

text

(C)

+ IVChallenge

Response + IV

2) Access Control• Process of allowing or denying a mobile device to

communicate with the network• IEEE 802.11 does not define any access control

mechanism• APs might use a list of acceptable MAC addresses• Problem? MAC address can be easily spoofed• Last line of defense? On receiving an IV error,

deny access to that station

3) Replay Detection• Legitimate user actions captured by an attacker• Attacker replays the message ( login response

message spoofing the MAC address )• WEP should allow only one copy of a message to

be accepted EVER• No protection whatsoever in WEP

Replay Attack

Authorized WEP communications

Good guy STA

Good guy AP

Bad guy (STA or AP)

Eavesdrop and record

Play back selections

4) Message modification

• To prevent tampering, WEP includes a check field called integrity check value(ICV).

• Problem? CRC method used to compute the ICV is called a linear method

• Thus, C (M XOR M’) = C(M) XOR C(M’)• Possible to predict what bits in ICV change on

changing a bit in data

Message modification• Let the message-CRC pair be <M, C(M)>• The corresponding ciphertext would be:

Ciph(M) = <M,C(M)> XOR K = K XOR <M,C(M)>• Suppose we want to change M by d:

Ciph(M) XOR <d,C(d)>= K XOR <M,C(M)> XOR <d,C(d)>= K XOR <M XOR d, C(M XOR d)>= K XOR <M’, C(M’)>= Ciph (M’)

5) Privacy• Weaknesses in the way RC4 is used in WEP:

1) IV Reuse2) Weak RC4 keys

Key Reuse• Encrypting two messages with same IV and key

can reveal information about both messages:C1 = P1 XOR RC4(IV,k)C2 = P2 XOR RC4(IV,k)C1 XOR C2 = P1 XOR P2

Key Reuse - Problems• XORing the two ciphertexts causes the keystream

to cancel out.• If one plaintext is known, other can be easily

calculated• Real-world plaintexts have enough redundancy so

that one can recover both P1 and P2• Known techniques for solving such plaintext XORs

by looking for two English texts that XOR to given value P1 XOR P2

How WEP deals with this?

• Use a different IV for every packet that is transmitted

• Problem?o IV is sent in plaintext form along with the transmitted packeto Attacker knows the IV as well

Possible Attack• Key rarely changes. • IV size is 24 bits.• Reuse of IV causes reuse of RC4 keystream• Since IV is public, duplicate IVs can be easily

detected by the attacker• Over a period of time, attacker can collect IVs and

corresponding ciphertexts

RC4 Weak Keys• RC4 has weak keys

– Greatly aids crypto analysis– There are standard techniques to avoid the

weak keys but WEP does not use these techniques.

• Airsnort and Wepcrack tools leverage weak keys

IEEE 802.11i

Introduction to 802.11i

• Addendum to the base standard that specifies new generation of security

• Defines a new type of wireless network called Robust Security Network(RSN)

Goals• Replace WEP by protocol that properly uses

encryption• Add proper authentication• Add data authenticity and integrity• Tie data link keys to authentication• Manufacture “fresh” keys

Security Service Dependencies

Data Confidentiality

Authentication

Authorization

Data Integrity

802.11i Architecture

PHY

MAC_SAP

MAC

802.1X Uncontrolled

Port

802.1X Controlled

Port

Station Management Entity

802.1XAuthenticator/

Supplicant

Data Link

Physical

PMD

802.11i State MachinesWEP/TKIP/CCMP

Data

TK

PTK PRF(PMK)(PTK = KCK | KEK |

TK)

Operation

72

Data protection

802.1X authentication

802.1X key management RADIUS-based key distribution

Security capabilities discovery

Authentication ServerAccess PointStation

Security negotiation

Discovery phase• Determine promising parties with whom to

communicate• AP advertises network security capabilities to STA via

beacon and probe responseo SSID in Beacon, Probe provides hint for right

authentication credentials• Performance optimization only; no security value

o RSN Information Element advertises• All enabled authentication suites• All enabled unicast cipher suites• Multicast cipher suite

• STA selects authentication suite and unicast cipher suite in Association Request

802.1x Authentication• STA determines whether it indeed does need to

communicate• Mutually authenticate STA and AS• Generate master key as a side effect of

authentication• Use master keys to generate session keys =

authorization token

Discovery and Authentication

Probe Request

Probe Response + RSN IE (AP supports CCMP Mcast, CCMP Ucast, 802.1X Auth)

802.11 Open System Auth

802.11 Open Auth (success)

Association Req + RSN IE (STA requests CCMP Mcast, CCMP Ucast,

802.1X Auth)

Association Response (success)

Access Point

Station

RADIUS phase• AS moves session key(PMK) to STAs AP

• Bind PMK to STA and AP• Confirm both AP and STA possess PMK• Generate fresh operational key (PTK)• Prove each peer is live• Synchronize PTK use

802.1x Key Management

Another look at the layers

802.11i Key Hierarchy

Key Confirmation Key (KCK) – PTK

bits 0–127

Key Encryption Key (KEK) – PTK

bits 128–255

Temporal Key – PTK bits 256–n – can have cipher suite specific structure

Pairwise Master Key (PMK) : 256 bit Access token

Pairwise Transient Key (PTK) = 802.11i-PRF(PMK, min(AP Nonce, STA Nonce) || max(AP nonce, STA Nonce) || min(AP

MAC Addr, STA MC Addr) || max(AP MAC Addr, STA MAC Addr))

Another look at the basic operation

Begin filtering non-802.1X data MPDUs

Begin filtering non-802.1X data MPDUs

AP

Association Request

Association Response

EAP type specific mutual authentication

4-Way Handshake

Group Key Handshake

Allow data MPDUs protected by

pairwise, group keys

Allow data MPDUs protected by

pairwise, group keys

STA

4-way handshake

EAPOL-Key(Reply Required, Unicast, ANonce)

Pick Random ANonce

EAPOL-Key(Unicast, SNonce, MIC, STA RSN IE)

EAPOL-Key(Reply Required, Install PTK, Unicast, ANonce, MIC, AP RSN IE, GTK)

Pick Random SNonce, Derive PTK = 802.11i-PRF(PMK, ANonce || SNonce || AP MAC Addr || STA MAC Addr)

Derive PTK

EAPOL-Key(Unicast, MIC)

STA

PMK PMK

Key Management Summary

• 4-Way Handshakeo Establishes a fresh pairwise key bound to STA

and AP for this sessiono Proves liveness of peerso Demonstrates there is no man-in-the-middle

between PTK holders if there was no man-in-the-middle holding the PMK

o Synchronizes pairwise key use• Group Key Handshake provisions group

key to all STAs

Key Management Summary

Data Transfer Overview

• 802.11i defines 2 protocols to protect data transfer:o TKIP : Legacy deviceso CCMP: Better security for new devices

• Why two protocols instead of one?

TKIP• TKIP: Temporal Key Integrity Protocol• Designed as a wrapper around WEPoCan be implemented in softwareoReuses existing WEP hardwareoRuns WEP as a sub-component

TKIP Design Challenges

• Mask WEP’s weaknesses…o Prevent data forgeryo Prevent replay attackso Prevent encryption misuseo Prevent key reuse

• On existing AP hardwareo Utilize existing WEP off-load hardwareo Software/firmware upgrade onlyo Don’t unduly degrade performance

TKIP Design – Replay Protection

Protect against replay • reset packet sequence # to 0 on rekey • increment sequence # by 1 on each packet• drop any packet received out of sequence

Access Point

Wireless Station

Hdr Packet n

Hdr Packet n + 1

Hdr Packet n

CCMP• Mandatory to implement: the long-term

solution• Based on AES in CCM mode

o CCM = Counter Mode Encryption with CBC-MAC Data Origin Authenticity

o AES overhead requires new AP hardwareo AES overhead may require new STA hardware

for hand-held devices, but not PCs• An all new protocol with few concessions

to WEP• Protects MPDUs = fragments of 802.2

frames

Overview

• Use CBC-MAC to compute a MIC on the plaintext header, length of the plaintext header, and the payload

• Use CTR mode to encrypt the payloado Counter values 1, 2, 3, …

• Use CTR mode to encrypt the MICo Counter value 0

Header Payload MIC

Authenticated

Encrypted

Operation

Sm

Br

E ...

B1 Bk

Header Payload MIC

A1 E E A0 E

... 0

padding

0

padding

Bk+1...

... E

Sm...S1 S0

B0

E

...

CCMP Summary• Builds on the lessons learned from IEEE 802.11

and IPsec packet protocol designso Relies on proper use of strong cryptographic primitives

• Strong security against all known attacks• Requires new hardware

Data Transfer Summary

WEP TKIP CCMPCipher RC4 RC4 AESKey Size 40 or 104 bits 128 bits 128 bits

encryption,64 bit auth

Key Life 24-bit IV, wrap 48-bit IV 48-bit IVPacket Key Concat. Mixing Fnc Not NeededIntegrity

Data CRC-32 Michael CCMHeader None Michael CCM

Replay None Use IV Use IVKey Mgmt. None EAP-based EAP-based

wireless networks: challenges, threats and solutions

Documents

wireless networks ieee

wep wireless networks

wireless nws

wireless networkssender

wireless networkscomputing

wireless linksdata

wireless different misbehavior

fixed networks